Closed deeglaze closed 2 months ago
Have you already considered using the vnd or prs sub-trees? They happen to have pretty relaxed registration policies.
When we originally chose to use media types for the type system, one of the major selling points was the possibility of using these kinds of non-standard trees precisely to cover the case you are describing.
Oh interesting, I didn't know this piece: "public exposure and review of media types to be registered in the vendor tree are not required".
I was worried at the small number of vnd. entries in the media-types table.
@deeglaze do you think we need to add prose to the draft to address your questions?
It might be important to distinguish between formats that are truly vendor specific and formats that are based on a standard format but underspecified. This could happen if the vendor extends the standard (and doesn't define the extensions in a profile) or has an underspecified profile.
Do you think we should add these considerations to the CMW document?
Or is there a separate "Considerations on the use of media types in RATS" document that we should start putting together?
Maybe the latter is best.
Is there anything to do here or can we close the issue?
I think we just need a CMW usage best practices doc.
I'm having trouble determining which content type to suggest for any of the evidence formats I'm working with, given that they're all binary formats specified by vendors or the TCG. Is the intention for AMD, Intel, TCG, and CNCF to all apply for application content types for formats they will specify themselves? I wouldn't want to say application/cbor for binary that doesn't have the major type tag for CBOR bytes, for example. The ind field is for hinting at the expected interpretation of the underspecified media type, so it'd be nice to have an appropriate underspecified media type that is basically "binary evidence for RATS". The examples use undefined example media types and the application/eat+jwt type, but nothing prior to attestation results that can be sent to a remote attestation verifier.
I'd say we should encourage folks to avoid using cmw-collection labels as "standard" ways to interpret the data carried in the value, but while a format is developed for a new form of attestation, it'd be nice to have a kind of catch-all for underspecified binary evidence content.
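An added example, not part of the thread or of the CMW draft's own text: wrapping opaque vendor evidence under a vendor-tree media type with the ind hint set to evidence, and having the receiver classify the type's registration tree before interpreting the bytes. The JSON record layout `[type, value, ind]`, the base64url value encoding and the indicator bit positions are assumptions based on the CMW draft's JSON form (media-type strings only), and `application/vnd.example.evidence` is a constructed placeholder, not a registered type.

```python
import base64
import json
import re

# Assumed from the CMW draft's "ind" bitmap (bit positions are not on this page).
IND_BITS = {"reference-values": 0, "endorsements": 1,
            "evidence": 2, "attestation-results": 3}
# RFC 6838 registration trees, told apart by the subtype's leading facet.
TREES = {"vnd.": "vendor", "prs.": "personal", "x.": "unregistered"}
NAME = re.compile(r"^[a-z0-9][a-z0-9!#$&^_.+-]*/([a-z0-9][a-z0-9!#$&^_.+-]*)$")


def registration_tree(media_type):
    """Return which RFC 6838 tree a type/subtype name belongs to."""
    m = NAME.match(media_type.lower())
    if not m:
        raise ValueError(f"not a media type name: {media_type!r}")
    for prefix, tree in TREES.items():
        if m.group(1).startswith(prefix):
            return tree
    return "standards"


def make_record(media_type, value, roles):
    """Wrap opaque bytes as a JSON record [type, base64url(value), ind]."""
    registration_tree(media_type)  # rejects malformed names early
    ind = 0
    for role in roles:
        ind |= 1 << IND_BITS[role]
    b64 = base64.urlsafe_b64encode(value).rstrip(b"=").decode("ascii")
    return json.dumps([media_type, b64, ind])


def parse_record(text):
    """Decode a record and report the type's tree and the hinted roles."""
    rec = json.loads(text)
    if not isinstance(rec, list) or len(rec) not in (2, 3):
        raise ValueError("expected [type, value] or [type, value, ind]")
    media_type, b64 = rec[0], rec[1]
    ind = rec[2] if len(rec) == 3 else 0
    if not (isinstance(media_type, str) and isinstance(b64, str)
            and isinstance(ind, int)):
        raise ValueError("unexpected field types")
    value = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    roles = sorted(r for r, bit in IND_BITS.items() if ind >> bit & 1)
    return {"type": media_type, "tree": registration_tree(media_type),
            "value": value, "roles": roles}


# Constructed sample: placeholder type name and made-up bytes.
SAMPLE = make_record("application/vnd.example.evidence", b"\x01\x02\xff", ["evidence"])
```

A verifier can use the reported tree to decide whether a type name alone is enough to select a parser, or whether a vendor-specific profile has to be agreed out of band.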